Posted by CmdrTaco on Sunday October 07, 2007 @09:11AM from the because-you-can dept.

Fudgie writes "My boss claimed it was pretty much impossible to create an entertaining way to visualize server traffic and events in a short time frame, so of course I had to prove him wrong. A weekend of neglecting my family produced a small ruby program which connects to your servers via SSH, grabs and parses data from Apache's access log and Ruby on Rails production log, and displays your traffic and statistics in real-time using a simple OpenGL interface (tested under Linux and Mac OS/X). It's a bit hard to explain over text, so please have a look at fudgie.org for an example movie, and more information."
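The summary says the tool parses Apache's access log and turns it into traffic statistics. The following is an added Ruby example, not Fudgie's code, showing the parsing half of that job: it reads Apache "combined"-format lines and tallies requests per second, status classes and bytes sent, skipping malformed lines instead of crashing. The log lines are constructed for the example.

```ruby
# Added example (not from fudgie.org): parse Apache combined-format access log
# lines and summarise the per-second request rate, status classes and bytes sent.
require 'time'

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
APACHE_LINE = /\A(?<host>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) (?<bytes>\d+|-) "(?<referer>[^"]*)" "(?<agent>[^"]*)"\z/

# Returns a hash for one log line, or nil when the line does not match the
# expected format (a monitor should skip such lines rather than die on them).
def parse_line(line)
  m = APACHE_LINE.match(line.chomp)
  return nil unless m
  {
    host: m[:host],
    time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
    request: m[:request],
    status: m[:status].to_i,
    bytes: m[:bytes] == '-' ? 0 : m[:bytes].to_i,   # "-" means no body was sent
    referer: m[:referer] == '-' ? nil : m[:referer],
  }
end

# Counts requests per second and per status class (2xx, 3xx, ...) plus bytes sent.
def summarise(lines)
  per_second = Hash.new(0)
  per_class = Hash.new(0)
  bytes = 0
  lines.each do |line|
    rec = parse_line(line) or next
    per_second[rec[:time].to_i] += 1
    per_class["#{rec[:status] / 100}xx"] += 1
    bytes += rec[:bytes]
  end
  { per_second: per_second, per_class: per_class, bytes: bytes }
end

# Constructed sample lines (not taken from any real server); the last one is
# deliberately malformed to show that it is skipped.
SAMPLE = [
  '192.0.2.10 - - [07/Oct/2007:09:11:00 +0000] "GET / HTTP/1.1" 200 1532 "http://slashdot.org/" "Mozilla/5.0"',
  '192.0.2.11 - - [07/Oct/2007:09:11:00 +0000] "GET /style.css HTTP/1.1" 304 - "http://fudgie.org/" "Mozilla/5.0"',
  '198.51.100.7 - - [07/Oct/2007:09:11:01 +0000] "GET /missing HTTP/1.0" 404 210 "-" "curl/7.16"',
  '198.51.100.8 - bob [07/Oct/2007:09:11:01 +0000] "GET /movie.mov HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
  'this line is not an access log entry',
].freeze

puts summarise(SAMPLE).inspect if $PROGRAM_NAME == __FILE__
```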

Just want to give props, very nice, you made my morning. Now to convert this to a heads up display for my helmet and I'm 1 step closer to becoming the motorcycle hacker I always dreamed I could be. And 1 step closer to earning a Darwin Award...

Obligatory jokes about 'taking the piss' aside, that is brilliant. It's the ultimate 'machine that does ping' (to name an old sketch) to keep management amused, but also provides real data. I bet that screen will go ballistic when you get Slashdotted (also a good way to visualise DDoS, maybe?).

I was about to say that it's a sort of etherape on steroids, but I've just realised your visualisation could benefit etherape instead (if you don't know etherape, look it up. No tool identifies a virus infection quicker).

Notice in the movie that one of the sites being monitored is fudgie.org, which is what is linked to here. This looks like a ploy to visualize the slashdot effect. :) Wonder what that must look like. Might tax the renderer pretty hard. I guess that is one way to get load testing done!

I just ran it through 10,000 Apache requests. After a minute and a half or so it stopped spewing dots from most of the graphs other than the "Content" ones, which spewed for about 8 minutes. In all, those logs (about 60 seconds of activity) took 6 minutes 22 seconds CPU time on a 1.66GHz Core Duo Mac Mini. Most of that time seems to have been spent drawing dots at maximum speed spewing out of the "Content" lines; maybe they need to increase speed in response to higher request rates so it's not waiting for t

Well, each stream seems to have a maximum rate it can spew out dots; if you exceed that, they back up. If you can spew out 1,000 dots from each stream in a minute but you've got 10,000 to actually spew through it, it's going to take 10 minutes doing it.

Very nice. One suggestion: rather than have each side's dots fall off at the bottom of the opposite side, how about matching up serving requests with the originating referral so that the dots go to the corresponding spot on the right? Also, if you're not familiar with Flight Patterns [ucla.edu] it's along the same lines. Borrowing from that, it'd be quite interesting to show a 2D map arranged in a hub and spoke model with the center being the site(s) and the spokes representing the top 10 (or 20... configurable) re

Interesting idea. Shouldn't be too hard to try something like that, I already have some code in there doing something similar meant for incoming emails, uploads and other data going into the servers/sites.
Try adding :type => 5 to the URL activities for an example.
-- Erlend

"Certain processes are vital to the computer's operation and should not be killed. For example, after I took the screenshot of myself being attacked by csh, csh was shot by friendly fire from behind, possibly by tcsh or xv, and my session was abruptly terminated."

We're finally catching up to movies now... you know the cheesy and disconnected from reality sequence where some hackers enters a system by navigating a 3D maze... and the firewall is a monster you have to literally kill. The movie Masterminds comes to mind.

Agreed. I saw something similar a few years ago, but this seems a bit more refined. I think there's actually a lot you can do when combining a graphics rendering engine with something like network activity. All it takes is a little creativity, a little time, and a boss who says it can't be done.

Luckily, I saw the movie before the meltdown of the server. It always pays to be on time.;)

For those unlucky and late, actually, you missed a competition of peeing coloured snowflakes from the right versus doing the same from the left. Only, the sources on the left are much better at aiming. Plus, you have some 'Login...' scrolling top to bottom; like the cast of a movie.

Heads up, Fudgie, it is truly the most amazing display of log files ever creeping across my eyes. Keep the good work up, and please post again when you have something actually useful for the sysadmin.

Hey, this is not the correct way to apply the GNU GPL licence. I don't know whether you had very little time available or just don't care, but the correct way is to explain exactly what licence (full title) the program is under and enable the user to find the licence (provide a copy of it and explain that the author of the licence is FSF, giving their address). We nerds of course understand completely what you mean, but other people may have no idea what you are talking about. To learn how to apply GPL

It's both harder for me to track a scrolling display of text moving in erratic bursts, and to process the information in each line, than it is to take a quick glance at a screen and see if there are many small dots or few large ones.

Why use ssh + tail -f when one can send the output to a centralized syslog server? There isn't any need to set up an account, keys, etc. when you can have the individual servers consolidate the data for you.

Remote syslog also means that your servers are more secure: (a) because it is harder for crackers to falsify remote logs as they need to compromise two machines, not just one; and (b) because your visualisation program doesn't need access to SSH keys for all of the machines it monitors, so a compromise on the visualisation computer doesn't automatically mean that all of the servers can also be compromised. However, you could presumably adapt this tool to use syslog quite easily.

I'm sorry; I know your comment is old, but: no. No, no. No no no no no.

syslog is insecure; messages are unauthenticated. Don't believe me? Use the logger(1) utility to forge a message from any daemon on your system, as an unprivileged user. Send a UDP packet to an open syslog daemon to forge a message to look as if it came from any daemon on the originating host. Forge that UDP packet as if it came from any system in the world; there's no two-way handshake to verify the path to the sender is legitim

That is a very good point. I'm used to dealing with scales beyond a single node ;) where you have access to such things.

In any case, I'm considering borrowing the idea and using it to 'watch' blocks on HDFS [apache.org]. I think it would be interesting to have a visual of blocks/files getting read/written/replicated. It might show patterns that we're otherwise not seeing.

fastfinge> I used to have a program that would play a musical note every time someone hit a port. so for each port it would have a different note
fastfinge> i put it in the dmz
fastfinge> much musical entertainment
fastfinge> I should find the source for that thing again. i could change midi instruments depending on the type of packet.
fastfinge> or maybe create length and timbre data from the source IP?
2006-09-20

We did something similar like 10 years ago, hooking the log-file to the sound server where each port had its individual sound and the frequency of connects directly related to the respective sound's volume.

Was rather interesting as you actually could *hear* all those Windows trojans and worms trying to dig their way into your (Linux) system.

It *really* shows that this was hacked together over a weekend. I've spent 15 minutes trying to get it to run, and all I see are Ruby warnings about obsolete code, and failed dependencies. I've installed about a dozen packages to try to satisfy this beast's dependency hunger, but to no avail. Behold:

Anything put into a logfile could be parsed and shown. I've tried with emails, shoutcast listeners and server logins, but they're not as interesting to show in the movie as I don't have the kind of traffic to make it useful.

I believe this sort of tool is useful for realtime monitoring of net resources utilization. It can assist you by giving graphic clues when something goes out of the usual parameters, like DDoS, slashdotments (sp?), router failure, etc. Depending on information being monitored and how it is displayed, it could also be used for long-term decisions like buying more hardware or switching software because the current setup is not handling the load.

A place I used to work is now trying to develop something like this: visualizations where you can tell trouble is brewing in a glance.

If you just install any of the standard RRDTool frontends out there, e.g. cacti, or my personal favorite, munin (far easier to install/extend/use than cacti), and check them regularly, it's not hard to tell when something's wrong. Traffic and usage patterns are pretty consistent from week to week on the boxes I've administered. After a month of checking graphs in munin daily

you can choose whatever method you like when your whole IP stack is SSL encrypted, like mine.

That doesn't make it secure. SSH also has an authentication protocol, and it's per-user. If yours is per-IP-stack, you already lost -- both because we already have that (in the form of VPNs and ipsec) and because it's not secure (anyone who can connect to the server can authenticate).

So once again: What method of RPC would you use instead of SSH? Telnet? Last I checked, it won't do RSA authentication -- it's reall

Sure it can. You'd just need to send the sudo-command line, and send the password if you got a password prompt in return. Or you could just let other users read the access log for a while, to see how it looks before you decide if this is something you'd like to try.

A lot of my time at work is spent looking at logfiles from webservers, application servers, and databases looking for things about to break down, but after I introduced this I just need to glance at a screen to instantly see if some server has stopped answering, is taking too long to answer, or is generating way more exceptions than normal.
I also add an event (the login text bouncing down the screen in the movie) on each money generating activity, which always amazes marketing people when they walk by.